• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311

PIX VPN/XP Client question.

I have a user who telecommutes from home over VPN.  The problem is - when he's connected to the VPN - he can't browse web pages external to the office network - only internal web sites.  It seems I have had success in the past in VPN Properties/Networking Tab/Internet Protocol (TCP/IP)/Properties button/Advanced Button/check "Use default gateway on remote network".  But this hasn't been a consistent fix...  Any ideas?
Asked by: LTWadmin
2 Solutions
 
lrmoore Commented:
Which client does he use? PIX supports both Cisco VPN client and the Microsoft PPTP client.
Microsoft client works if you un-check the use default gateway on remote network box, but may break their ability to access internal resources.
Cisco client is totally controlled by the PIX. The network admin would have to enable "split-tunneling" which may or may not be against company policy.
 
LTWadmin (Author) Commented:
lrmoore -

Thanks.  He's using the Microsoft PPTP Client in XP Pro.  Is split tunneling a security risk?
 
muff Commented:

Split-tunnelling can be a risk because it enables a PC to be connected to untrusted and trusted networks simultaneously.  Untrusted = the internet.

Imagine a piece of malicious software that connected to an attacker's site and waited for instructions while the VPN client was connected to the company network.  The user PC could then provide the attacker the same level of access to the company network as the user.

This risk can be mitigated somewhat by ensuring that the user's antivirus software is up to date prior to allowing a connection, and limiting what the user can install on their PC.

A more secure alternative that provides the user with access to the web while connected to the company network would be to use a proxy server that is on the company network.  In other words, don't use split-tunnelling at all - web requests would be forwarded to the proxy, which would request the web page on the user's behalf.

koan
 
lrmoore Commented:
Yes, split tunneling is a "HUGE" risk.
Problem with using Microsoft client is that the USER is in full control with one little tick of the box [ ] Use default gateway on remote network. Un-tick it and split-tunneling is enabled.
Cisco VPN client is 100% controlled by the ADMIN.
One of the best solutions is to set up a web proxy at HQ, force use of Cisco VPN client and force users to go through the proxy.
The reason that it is not consistent is because of the classful nature of PPTP. It all depends on the class of the IP address assigned to the client and to the remote LAN. I can explain that further if necessary, but it's a lesson in classful IP networks....
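The classful behaviour lrmoore refers to is easier to see worked through than described. The script below is an added example, not code from anyone in this thread: it models the route the XP PPTP client installs toward the tunnel when the "Use default gateway on remote network" box is cleared (one route for the classful A/B/C network of the address the VPN pool assigned), and shows which office subnets that leaves unreachable. The office subnets and pool addresses are constructed values chosen to illustrate the point; the functions `classful_network`, `tunnel_routes`, `via_tunnel` and `unreachable_office_subnets` are this example's own names.

```python
import ipaddress
from typing import List

# Constructed scenario (not from the thread): two internal subnets behind the PIX,
# with the PPTP address pool handing out addresses from the first one.
OFFICE_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Return the classful (RFC 791 class A/B/C) network containing addr.

    With the default-gateway box cleared, the PPTP client never learns the remote
    LAN's real subnet mask; it routes only the classful network of its own
    assigned address into the tunnel.
    """
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8        # class A
    elif first_octet < 192:
        prefix = 16       # class B
    elif first_octet < 224:
        prefix = 24       # class C
    else:
        raise ValueError(f"{addr} is multicast/reserved; no classful route applies")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def tunnel_routes(assigned_ip: str, use_remote_default_gateway: bool) -> List[ipaddress.IPv4Network]:
    """Routes the client points at the tunnel for each setting of the checkbox."""
    if use_remote_default_gateway:
        # Box ticked: all traffic, internet included, enters the tunnel (no web browsing
        # unless the PIX lets it back out again).
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    # Box cleared (split tunnel): only the classful network of the assigned address.
    return [classful_network(assigned_ip)]


def via_tunnel(assigned_ip: str, use_remote_default_gateway: bool, destination: str) -> bool:
    """True if traffic to destination would be sent through the VPN."""
    dest = ipaddress.IPv4Address(destination)
    return any(dest in net for net in tunnel_routes(assigned_ip, use_remote_default_gateway))


def unreachable_office_subnets(assigned_ip: str, office_subnets: List[str] = OFFICE_SUBNETS) -> List[str]:
    """Office subnets a split-tunnelled client cannot reach with the given pool address."""
    routes = tunnel_routes(assigned_ip, use_remote_default_gateway=False)
    missing = []
    for cidr in office_subnets:
        subnet = ipaddress.IPv4Network(cidr)
        if not any(subnet.subnet_of(route) for route in routes):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    # Class C pool: the second office subnet falls outside the classful route.
    print("192.168.10.200 ->", classful_network("192.168.10.200"),
          "unreachable:", unreachable_office_subnets("192.168.10.200"))
    # Class A pool with a class A office: the /8 route covers every internal subnet.
    print("10.1.1.50 ->", classful_network("10.1.1.50"),
          "unreachable:", unreachable_office_subnets("10.1.1.50", ["10.1.0.0/16", "10.2.0.0/16"]))
```

Run it and the inconsistency the question describes falls out directly: a client given 192.168.10.200 reaches 192.168.10.0/24 over the tunnel but sends 192.168.20.0/24 (and all internet traffic) out its local gateway, whereas a client given 10.1.1.50 on a 10.0.0.0/8 office gets every internal subnet through the one classful route. Either way, the user decides the routing with that checkbox, which is the control problem lrmoore and muff describe and why a proxy behind an admin-controlled client is the cleaner design.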
